November 2007
Report No. AUD-08-003

FDIC’s Implementation of the USA PATRIOT Act

AUDIT REPORT

TABLE OF CONTENTS

BACKGROUND

RESULTS OF AUDIT

IMPLEMENTATION OF EXAMINATION PROCEDURES FOR CUSTOMER IDENTIFICATION PROGRAMS
  Requirements Related to the CIP
  Identification of Apparent Violations
  Conclusion
  Recommendation

IMPLEMENTATION OF EXAMINATION PROCEDURES FOR RISK ASSESSMENTS
  Examination Guidance for Risk Assessments
  Institution Preparation and Examiner Evaluations of Risk Assessments
  Use of Appendix J in the FFIEC BSA/AML Examination Manual for Assessing Risk
  Recommendation

CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY
APPENDIX II: STATUS OF REGULATIONS AND EXAMINATION PROCEDURES FOR PATRIOT ACT REQUIREMENTS
APPENDIX III: CUSTOMER IDENTIFICATION PROGRAM REQUIREMENTS
APPENDIX IV: CORPORATION COMMENTS
APPENDIX V: MANAGEMENT RESPONSE TO RECOMMENDATIONS

TABLES
Table 1: Status of Examination Procedures for PATRIOT Act Provisions
Table 2: Supervisory and Enforcement Actions for Noncompliance with BSA/AML and PATRIOT Act Requirements
Table 3: Apparent CIP Violations
Table 4: The FDIC’s Activities to Address the Government Performance and Results Act
Table 5: Synopsis of FDIC OIG Prior Audit Coverage of BSA and PATRIOT Act Compliance

FIGURES
Figure 1: Risk Assessment Link to the BSA/AML Compliance Program
Figure 2: Risk Categories That Should be Considered During the Risk Assessment Process

ACRONYMS

AML           Anti-Money Laundering
BSA           Bank Secrecy Act
C&D           Cease and Desist Order
C.F.R.        Code of Federal Regulations
CIP           Customer Identification Program
CMP           Civil Money Penalty
CSBS          Conference of State Bank Supervisors
DSC           Division of Supervision and Consumer Protection
FBA           Federal Banking Agency
FDI           Federal Deposit Insurance
FFIEC         Federal Financial Institutions Examination Council
FIL           Financial Institution Letter
FinCEN        Financial Crimes Enforcement Network
GAO           Government Accountability Office
HIDTA         High Intensity Drug Trafficking Area
HIFCA         High Intensity Financial Crimes Area
MOU           Memorandum of Understanding
OFAC          Office of Foreign Assets Control
OIG           Office of Inspector General
ONDCP         Office of National Drug Control Policy
PATRIOT Act   Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
RD            Regional Directors
ROE           Report of Examination
TIN           Taxpayer Identification Number
U.S.C.        U.S. Code
ViSION        Virtual Supervisory Information on the Net

Background and Purpose of Audit

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (PATRIOT Act) was signed into law on October 26, 2001. The PATRIOT Act made a number of amendments to the anti-money laundering (AML) provisions of the Bank Secrecy Act (BSA) of 1970, which was passed to prevent banks and other financial service providers from being used in criminal activity and to identify the source, volume, and movement of currency and other monetary instruments into or out of the United States or deposited in financial institutions. In addition, the PATRIOT Act expands the Treasury Department’s authority to regulate the activities of U.S. financial institutions, particularly their relations with individuals and entities with foreign ties. The PATRIOT Act requires financial institutions to implement a written, board-approved Customer Identification Program (CIP) that is appropriate for the institution’s size and type of business.

In June 2005, the Federal Financial Institutions Examination Council (FFIEC), which includes the FDIC and other federal banking agencies, issued interagency guidance in the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual. The manual updates examination procedures for BSA/AML and PATRIOT Act compliance and emphasizes the importance of a BSA/AML risk assessment.

The audit objectives were to determine whether (1) examination procedures are designed to evaluate institution compliance with the AML and terrorist financing provisions of the PATRIOT Act and (2) those procedures were fully and consistently implemented to provide reasonable assurance that institutions with weak programs for detecting money laundering and terrorist financing activity will be identified and appropriate corrective measures taken.

To view the full report, go to www.fdicig.gov/2008reports.asp

Results of Audit

The FDIC, in conjunction with the FFIEC, has issued comprehensive examination procedures in the FFIEC BSA/AML Examination Manual designed to assist examiners in evaluating institution compliance with the AML and terrorist financing provisions of the PATRIOT Act. Additionally, the FDIC has issued supervisory and enforcement guidance on corrective actions for noncompliance with the BSA and PATRIOT Act and referrals of significant BSA violations for possible assessment of civil and/or criminal penalties. The FDIC has taken action in a number of cases to address noncompliance with BSA and PATRIOT Act provisions and related regulations. The FDIC has also taken steps to strengthen BSA and PATRIOT Act compliance, including training and industry outreach, certifications for AML specialists, and establishment of BSA-related performance measures.

Generally, FDIC examiners implemented examination procedures in the FFIEC BSA/AML Examination Manual related to the PATRIOT Act. However, the FDIC could enhance the implementation of examination procedures with respect to CIPs. The FDIC examiners reviewed CIPs for all 24 of our sampled financial institutions and cited CIP-related violations at 5 of those institutions. However, we found other apparent violations of CIP requirements that were not identified and reported by examiners. The CIP requirements are intended to ensure that a financial institution can form a reasonable belief that it knows the true identity of its customers. Consistent examiner identification and reporting of apparent CIP violations can provide the FDIC greater assurance that institutions with weak programs for detecting money laundering and terrorist financing activity are identified and appropriate and timely corrective measures are taken.

Although not required by statute or regulation, BSA/AML risk assessments are emphasized in examination guidance to provide a means for (1) institutions to design risk-based BSA/AML compliance programs, which include internal controls, to mitigate risks and (2) examiners to scope and plan their evaluation of the adequacy of BSA/AML compliance programs. Concerning the risk assessments, we found that 21 of 24 sampled institutions had prepared the assessments. Examiners considered the institution-prepared risk assessments in BSA/AML examinations and took appropriate action in the three cases where institutions had not prepared assessments. Although the risk assessment is widely used in the design and examination of BSA/AML compliance programs, we noted that examiners were inconsistent in addressing and reporting on the risk categories and factors listed in the FFIEC BSA/AML Examination Manual. However, an Interagency Statement issued in July 2007 on enforcement of BSA/AML requirements specifically lists risk assessment as part of the system of internal controls mandated for institutions by regulation. This guidance should focus additional attention on the examination of risk assessments, including the use of designated risk categories and factors. Therefore, we are not making recommendations in this area at this time. Finally, we determined that risk assessments for 8 of the 24 financial institutions were based on a matrix format (Appendix J of the examination manual) intended for use by examiners that did not provide for a detailed assessment of risk categories and factors. Use of this matrix in lieu of a more thorough risk assessment could result in BSA/AML risks not being identified.

Recommendations and Management Response

The report recommends that the Director, DSC (1) clarify guidance to examiners on the identification and reporting of apparent CIP violations and (2) provide instructions to examiners to clarify the circumstances under which Appendix J would be sufficient for use as a BSA/AML risk assessment. The FDIC’s planned actions are responsive to our recommendations.

Federal Deposit Insurance
3501 Fairfax Drive, Arlington, VA 22226
Office of Audits
Office of Inspector General

DATE:             November 30, 2007

MEMORANDUM TO:    Sandra L. Thompson, Director
                  Division of Supervision and Consumer Protection

FROM:             /Signed/
                  Russell A. Rau
                  Assistant Inspector General for Audits

SUBJECT:          FDIC’s Implementation of the USA PATRIOT Act (Report No. AUD-08-003)

This report presents the results of the subject FDIC Office of Inspector General (OIG) audit. The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (PATRIOT Act) [1] was signed into law on October 26, 2001, as a response to the September 11, 2001 terrorist attacks. Title III of the PATRIOT Act—International Money Laundering [2] Abatement and Financial Anti-Terrorism Act of 2001 [3]—is intended to facilitate the prevention, detection, and prosecution of international money laundering and terrorist financing and consists of provisions related to (1) international counter-money laundering and related measures, (2) Bank Secrecy Act [4] (BSA) amendments and related improvements that supplement U.S. authority provided under the BSA to detect money laundering, and (3) currency crimes and protection.
The FDIC’s Division of Supervision and Consumer Protection (DSC) monitors FDIC-supervised financial institutions’ compliance with the PATRIOT Act Title III requirements.

The audit objectives were to determine whether (1) examination procedures are designed to evaluate institution compliance with the anti-money laundering (AML) and terrorist financing provisions of the PATRIOT Act and (2) those procedures were fully and consistently implemented to provide reasonable assurance that institutions with weak programs for detecting money laundering and terrorist financing activity will be identified and appropriate corrective measures taken. We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix I of this report discusses our objectives, scope, and methodology in detail.

[1] Public Law No. 107-56.
[2] Money laundering is the process by which criminals or criminal organizations seek to disguise the illicit nature of their proceeds by introducing them into the stream of legitimate commerce and finance.
[3] Title III of the PATRIOT Act includes 46 sections of which only 12 sections relate to financial institutions. Of those 12 sections, only 8 need examination procedures. There are nine additional titles of the PATRIOT Act that are not related to financial institutions or the FDIC’s supervision and examination of financial institutions.
[4] Public Law No. 91-508, codified to 31 U.S. Code (U.S.C.), Section 5311 et seq.

BACKGROUND

Emphasis on AML efforts, in general, and the international fight against money laundering and terrorist financing, in particular, has risen significantly since the September 11, 2001 terrorist attacks. The PATRIOT Act made a number of amendments to the AML provisions of the BSA, also known as the Currency and Foreign Transactions Reporting Act.
Congress passed the BSA to (1) prevent banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of, money derived from criminal activity and (2) help identify the source, volume, and movement of currency and other monetary instruments transported or transmitted into or out of the United States or deposited in financial institutions.

The BSA authorizes the Department of the Treasury (Treasury) to require financial institutions to establish BSA/AML compliance programs; [5] file certain reports that are used in criminal, tax, or regulatory investigations or proceedings; and keep certain records of transactions. The BSA’s implementing regulation [6] is used to aid law enforcement agencies in the investigation of suspected criminal activity such as illegal drug activities, income tax evasion, and money laundering by organized crime. The PATRIOT Act expanded the Treasury’s authority to regulate the activities of U.S. financial institutions, especially their relations with entities and individuals with foreign ties, and increased the focus on terrorist financing activities. The Financial Crimes Enforcement Network (FinCEN), a bureau of the Treasury, is the delegated administrator of the BSA. FinCEN issues regulations and interpretive guidance, provides outreach to regulated industries, supports the examination function of the Federal Banking Agencies (FBA), [7] and pursues civil enforcement actions, when warranted.

Examination Procedures Related to AML and Terrorist Financing Provisions of the PATRIOT Act

Although overall authority for BSA enforcement and compliance remains with the Treasury, its regulations delegate authority to the FBAs, including the FDIC, to examine financial institutions for compliance.
In addition, Section 8(s) of the Federal Deposit Insurance (FDI) Act [8] provides the FDIC authority to examine and enforce compliance at FDIC-supervised financial institutions. Since the PATRIOT Act amended the BSA, each BSA/AML examination also encompasses a review of financial institutions’ compliance with PATRIOT Act requirements. [9] In June 2005, the FFIEC issued interagency guidance in the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual (FFIEC BSA/AML Examination Manual or examination manual) to provide examination procedures related to BSA, AML, PATRIOT Act, and Office of Foreign Assets Control (OFAC) [10] compliance. The FFIEC members revised the FFIEC BSA/AML Examination Manual in July 2006 [11] to update examination procedures related to BSA/AML and PATRIOT Act compliance. Table 1 outlines the specific sections of the PATRIOT Act for which the FDIC and other FBAs have issued examination guidance.

[5] The FDIC Rules and Regulations, Section 326.8, Bank Secrecy Act Compliance, and Treasury’s implementing regulations for BSA/AML and PATRIOT Act compliance, 31 Code of Federal Regulations (C.F.R.) Part 103, require financial institutions to implement a BSA/AML compliance program that includes the minimum program requirements (referred to as “pillars”). The pillars include customer identification programs, systems of internal controls, independent testing, designated BSA compliance officers, and training for appropriate personnel.
[6] 31 C.F.R. Part 103.
[7] The FBAs are the Board of Governors of the Federal Reserve System, FDIC, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision, which together form the Federal Financial Institutions Examination Council (FFIEC).
[8] Codified to 12 U.S.C. 1818(s). The FDI Act requires the FDIC to (1) prescribe regulations requiring financial institutions to establish and maintain procedures reasonably designed to ensure and monitor compliance; (2) review such procedures during their examinations of these institutions and report problems with compliance in reports of examination; and (3) enforce compliance with the BSA monetary transaction recordkeeping and reporting requirements, including issuance of Cease and Desist (C&D) orders for noncompliance.
[9] DSC conducts BSA/AML examinations in conjunction with FDIC risk management examinations and those of state regulatory agencies that do not incorporate BSA/AML procedures into their examinations. According to DSC, as of May 14, 2007, six state regulatory agencies did not review BSA/AML compliance during their examinations.
[10] OFAC regulations prohibit financial institutions from engaging in transactions with the governments of, or individuals or entities associated with, foreign countries against which federal law imposes trade or economic sanctions. Sanctions also can be used against dangerous groups and individuals, such as international narcotics traffickers, terrorists, and foreign terrorist organizations, regardless of national affiliation.
[11] On August 2, 2006, the FDIC issued a Financial Institution Letter (FIL) to FDIC-supervised institutions, announcing the release of the revised FFIEC BSA/AML Examination Manual. The FIL acknowledged that the manual included (1) guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing and (2) enhanced guidance on the risk assessment process, including the development of BSA/AML risk assessments and examiner evaluation of those assessments. In addition to the 2006 revision, the FFIEC issued a revised BSA/AML Examination Manual on August 24, 2007. Significant updates to the 2007 examination manual include clarification on regulatory expectations between lower-risk and higher-risk customers for customer due diligence purposes.

Table 1: Status of Examination Procedures for PATRIOT Act Provisions

PATRIOT Act Title III Section*                                                     Examination Procedures Included in the FFIEC BSA/AML Examination Manual
Section 311-Special Measures for Financial Institutions                            Yes
Section 312-Special Due Diligence                                                  Yes
Section 313-Prohibition on U.S. Correspondent Accounts                             Yes
Section 314-Cooperative Efforts to Deter Money Laundering (Information Sharing)    Yes
Section 319-Forfeiture of Funds                                                    Yes
Section 325-Concentration Accounts at Financial Institutions                       Yes
Section 326-Verification of Identification (Customer Identification Programs)      Yes
Section 352-Anti-Money Laundering Programs                                         Yes

Source: OIG review of the FFIEC BSA/AML Examination Manual, dated July 28, 2006.
*Some of the names of the Title III sections have been abbreviated for the purposes of this table.

Appendix II provides additional information on the status of regulations and examination procedures for PATRIOT Act sections.

Supervisory and Enforcement Guidance Related to the Identification and Correction of BSA/AML Compliance Program Deficiencies

Noncompliance with BSA/AML and PATRIOT Act requirements could expose financial institutions to actions from the FDIC and other FBAs, Treasury, and/or Department of Justice. Specifically, the FDIC can impose supervisory and/or enforcement actions and has issued guidance to its examiners that outlines its authority to impose such actions. For example, in October 2006, the FDIC issued a Regional Directors (RD) memorandum entitled, Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements. The memorandum provides specific guidance to assist examiners in determining when to recommend C&Ds for noncompliance with BSA/AML and PATRIOT Act requirements. In addition, on July 19, 2007, the Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (Interagency Statement) was issued by the FBAs, establishing the agencies’ policy on circumstances in which an agency will issue a C&D to address noncompliance with certain BSA/AML requirements.
The FDIC transmitted the Interagency Statement to the institutions it supervises on August 23, 2007. In accordance with Section 8(s) of the FDI Act, the FDIC is authorized to issue a C&D if an institution has failed to establish and maintain a BSA compliance program or has failed to correct any previously reported problem with the program.

The FDIC has imposed actions to correct noncompliance with BSA and PATRIOT Act provisions, as indicated in Table 2. In addition, in compliance with an information-sharing Memorandum of Understanding [12] (MOU) between FinCEN and the FBAs, the FDIC has referred certain financial institutions to FinCEN for consideration of civil money penalties (CMP) for noncompliance with BSA provisions.

[12] On September 30, 2004, the FBAs entered into an MOU with FinCEN to provide information related to BSA/AML examinations and enforcement actions and each FBA’s BSA examination program. It is FDIC policy to refer significant BSA violations by FDIC-supervised institutions to FinCEN for review and possible assessment of civil and/or criminal penalties. Referrals to FinCEN should generally be considered when the types and nature of apparent violations of the BSA expose the institution to a heightened level of exposure to potential money laundering activity, demonstrate a willful or flagrant disregard of the requirements of the BSA, or result from nonexistent or seriously deficient BSA/AML compliance programs.

Table 2: Supervisory and Enforcement Actions for Noncompliance with BSA/AML and PATRIOT Act Requirements

FDIC Supervisory and Enforcement Actions    Number of Actions Imposed
Informal Supervisory Actions [a]            131
Formal Enforcement Actions [b]              11
Referrals Forwarded to FinCEN               22

Source: OIG review of FDIC Formal and Informal Action Tracking System data for the period September 1, 2005 through October 31, 2006; review of ROEs for sampled financial institutions; discussions with DSC officials; and review of referrals that DSC forwarded to FinCEN for the period September 1, 2005 through December 31, 2006.
[a] Informal supervisory actions include Memorandum of Understanding (MOU), Bank Board Resolution, and any other informal action taken by the FDIC.
[b] Formal enforcement actions include C&D, CMP, and any other formal action taken by the FDIC.

Customer Identification Programs

Of the five BSA/AML compliance program pillars (see footnote 5), only the requirement for financial institutions to implement a Customer Identification Program (CIP) directly resulted from enactment of the PATRIOT Act. Specifically, Section 326 of the PATRIOT Act, which is implemented through Treasury regulations 31 C.F.R. Part 103.121 and Section 326.8 of the FDIC’s Rules and Regulations, requires banks to implement a written, board-approved CIP that is appropriate for the institution’s size and type of business. The CIP must include (1) account-opening [13] procedures that specify the identifying information that will be obtained from each customer, [14] and (2) reasonable and practical risk-based procedures for verifying the identity of each customer. These procedures must be based on the bank’s assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank; the various methods of opening accounts provided by the bank; the various types of identifying information available; and the bank’s size, location, and customer base. The FFIEC BSA/AML Examination Manual identifies an objective for examiners to assess a bank’s compliance with the statutory and regulatory requirements for a CIP.
Appendix III provides additional information on the requirements related to CIPs.

Risk Assessments

Various sections of the PATRIOT Act, such as those addressing CIPs, correspondent accounts, [15] and concentration accounts, [16] address the linkage between risk and the establishment of appropriate controls within the BSA/AML compliance programs of financial institutions. These risks include terrorist financing, money laundering, and other criminal activity. One means by which institutions can gain an understanding of these risks is through development of a BSA/AML risk assessment. BSA/AML risk assessments are not specifically required by statute or regulation, but are set forth in the FFIEC BSA/AML Examination Manual as a good business practice for institutions to use in developing risk-based controls in their BSA/AML compliance programs and, therefore, also for compliance with the PATRIOT Act. In fact, in the 2006 version of the manual, risk assessment was given its own section to emphasize its importance in the design of effective controls at institutions and in the BSA/AML examination process. Figure 1 shows how the financial institution’s risk assessment links to the overall BSA/AML compliance program.

[13] For CIP purposes, an account is a formal banking relationship to provide or engage in services, dealings, or other financial transactions and includes a deposit account, a transaction or asset account, a credit account, or another extension of credit.
An account also includes a relationship established to provide a safe deposit box or other safekeeping services or to provide cash management, custodian, or trust services.
[14] For CIP purposes, a customer is defined as a person (an individual, a corporation, partnership, a trust, an estate, or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks legal capacity, and an individual who opens a new account for an entity that is not a legal person. There are certain situations that can be excluded from the definition of customer for CIP purposes such as (1) a person who does not receive banking services, for example a person whose loan application is denied; or (2) an existing customer, as long as the bank has a reasonable belief that it knows the customer’s true identity.
[15] A correspondent account is maintained by a bank with another bank for the deposit or placement of funds for themselves or their customers.
Although these accounts may be developed and used primarily for legitimate\npurposes, international correspondent bank accounts may pose increased risk of illicit activities, including money\nlaundering and terrorist financing.\n16\n   A concentration account is an internal account established by the bank to facilitate the processing and settlement\nof multiple or individual customer transactions within the bank, including a suspense, settlement, intra-day, sweep,\nor collection account.\n\n\n\n                                                            5\n\x0c     Figure 1: Risk Assessment Link to the BSA/AML Compliance Program\n\n                 Risk Assessment                                     Internal Controls\n\n                Identify & Measure                                  Develop Applicable:\n                        Risk:                                             Policies\n                      Products                                          Procedures\n                      Services                                            Systems\n                    Customers                                            Controls\n                Geographic Locations\n\n\n\n                                                  Risk-Based BSA Compliance Program:\n                                                             Internal Controls\n                                                                   Audit\n                                                         BSA Compliance Officer\n                                                                 Training\n     Source: FFIEC BSA/AML Examination Manual, Appendix I.\n\n\n\n\nAccording to the FFIEC BSA/AML Examination Manual, examiner scoping and planning for\nfinancial institution examinations generally begins with an analysis of the institution\xe2\x80\x99s\nBSA/AML risk assessment. 
17 Examiners should determine whether the institution has\nadequately identified the risk associated with compliance with BSA/AML requirements and\nimplementation of the PATRIOT Act in its banking operations which, as indicated above,\ninclude its products, services, customers, and geographic locations. Further, the July 2007\nInteragency Statement lists risk assessment as part of the system of internal controls, which, like\nthe CIP, is one of the five required pillars of a BSA/AML compliance program.\n\nAdditional Steps to Address PATRIOT Act Compliance\n\nIn addition to issuing FILs to FDIC-supervised institutions to inform them of related examination\nand enforcement guidance, the FDIC has taken a number of steps to strengthen PATRIOT Act\ncompliance. For example, the FDIC has:\n\n      \xe2\x80\xa2   Conducted training and outreach sessions for its examiners and the banking industry,\n          including providing presentations at various industry conferences and seminars targeting\n          BSA/AML and counter-financing of terrorism issues. 
         Training and outreach activities
         included discussions on the revisions to the 2006 FFIEC BSA/AML Examination Manual.

17 In addition to reviewing the financial institution’s BSA/AML risk assessment, during the scoping and planning
process, examiners generally analyze prior examination reports and work papers; independent reviews or audit
results; and other information, including but not limited to, training documentation, suspicious activity reporting
data, and OFAC compliance information.

     •   Taken steps to ensure that examiners complete a mandatory training curriculum related to
         BSA/AML and the PATRIOT Act and certified a number of its BSA subject matter
         experts under the Association of Certified AML Specialists 18 certification program.

     •   Issued RD Memoranda, including the updated FDIC Risk Management Manual of
         Examination Policies; various fact sheets; and frequently asked questions on issues such
         as CIP and information sharing. 19

     •   Revised BSA-related violation codes to specifically include PATRIOT Act requirements.

     •   Established performance measures that address BSA/AML and PATRIOT Act
         compliance.

     •   Created a National BSA/AML Task Force and participated in various BSA/AML and
         PATRIOT Act-related working groups to address BSA/AML policy and procedural
         matters. Under the auspices of the FFIEC BSA/AML Working Group, which was
         created in June 2004, the FBAs developed the interagency examination procedures in the
         FFIEC BSA/AML Examination Manual.
         In addition, the FDIC is a member of the BSA
         Advisory Group Examination Subcommittee, which meets with the banking industry to
         solicit feedback regarding money-laundering risks, 20 and works with the Conference of
         State Bank Supervisors (CSBS) on updates to BSA/AML examination guidance. 21


RESULTS OF AUDIT

The FDIC, in conjunction with the FFIEC, has issued comprehensive examination procedures in
the FFIEC BSA/AML Examination Manual designed to assist examiners in evaluating institution
compliance with the AML and terrorist financing provisions of the PATRIOT Act. Additionally,
the FDIC has issued supervisory and enforcement guidance on corrective actions for
noncompliance with the BSA and PATRIOT Act and referrals of significant BSA violations to
FinCEN for review and possible assessment of civil and/or criminal penalties. Notably, the
FDIC has taken formal and informal action in a number of cases to address noncompliance with
BSA and PATRIOT Act provisions and related regulations and made referrals to FinCEN as
required based on the information-sharing MOU with FinCEN. The FDIC has also taken steps to

18 The Association of Certified Anti-Money Laundering Specialists is a membership-based organization that serves
as a platform for career development and professional networking for individuals in the AML field. The
organization provides resources for financial institutions and related businesses that help train, identify, and locate
individuals who specialize in money-laundering control policies, procedures, and regulations.
19 Information sharing relates to Section 314 of the PATRIOT Act (see Appendix II).
20 The BSA Advisory Group was established on March 10, 1994 to give the Treasury advice on strengthening AML
programs and simplifying currency reporting forms.
The broad-based advisory group includes officials from federal
and state government agencies, banking and other private-sector enterprises where money-laundering activities are
sometimes attempted, and law enforcement. The Director of FinCEN serves as the chair of the group, which
consists of 52 members; meets bi-annually; and includes subcommittees for issues, including, but not limited to,
examinations, suspicious activity reporting, and privacy and security.
21 CSBS provides insight into the state perspective on federal regulatory policy proposals that directly affect
state-chartered banks and state bank supervisors. CSBS represents state supervisors on the working groups of the FFIEC
and helps to coordinate issues for the state banking departments on supervisory-related issues.

strengthen BSA and PATRIOT Act compliance, including training and industry outreach,
certifications for AML specialists, and the establishment of BSA-related performance measures.

Generally, FDIC examiners implemented examination procedures in the FFIEC BSA/AML
Examination Manual related to the PATRIOT Act. However, the FDIC could enhance the
implementation of examination procedures with respect to CIPs. The FDIC examiners reviewed
CIPs for all 24 of our sampled financial institutions and cited CIP-related violations at 5 of those
institutions. However, we found other apparent violations of CIP requirements that were not
consistently identified and reported by examiners. The CIP requirements are intended to ensure
that a financial institution can form a reasonable belief that it knows the true identity of its
customers.
Consistent examiner identification and reporting of apparent CIP violations can
provide the FDIC greater assurance that institutions with weak programs for detecting money
laundering and terrorist financing activity are identified and appropriate and timely corrective
measures are taken (Implementation of Examination Procedures for Customer Identification
Programs).

Although not specifically required by statute or regulation, BSA/AML risk assessments are
emphasized in examination guidance to provide a means for (1) institutions to design risk-based
BSA/AML compliance programs, which include internal controls, to mitigate risks and
(2) examiners to scope and plan their evaluation of the adequacy of BSA/AML compliance
programs. Concerning the risk assessments, we found that 21 of 24 sampled institutions had
prepared the assessments. Examiners considered the institution-prepared risk assessments in
BSA/AML examinations and took appropriate action in the 3 cases where institutions had not
prepared assessments. While it is notable that risk assessment is widely used in the design and
examination of BSA/AML compliance programs, we observed inconsistencies in addressing and
reporting on the risk categories and factors listed in the FFIEC BSA/AML Examination Manual.
However, the July 2007 Interagency Statement on enforcement of BSA/AML requirements
specifically lists risk assessment as part of the system of internal controls mandated for
institutions by regulation. The Interagency Statement should focus additional attention on the
design and examination of risk assessments, including the use of designated risk categories and
factors. Therefore, we are not making recommendations in this area at this time. Finally, we
determined that risk assessments for 8 of the 24 financial institutions were based on a matrix
format intended for use by examiners that did not provide for a detailed assessment of risk
categories and factors.
Use of this matrix in lieu of a more thorough risk assessment could result
in BSA/AML risks not being identified (Implementation of Examination Procedures for Risk
Assessments).


IMPLEMENTATION OF EXAMINATION PROCEDURES FOR CUSTOMER
IDENTIFICATION PROGRAMS

The FDIC could enhance the implementation of examination procedures in the FFIEC
BSA/AML Examination Manual concerning institution CIPs. Although examiners reviewed
CIPs for all of the 24 sampled financial institutions and cited CIP-related violations at 5 of those
institutions, we found other apparent violations of CIP requirements in the programs that were
not consistently identified and reported by examiners to the FDIC and to financial institution
management. The CIP requirements, such as having procedures to verify a customer’s identity
prior to opening an account, are intended to ensure that the financial institution can form a
reasonable belief that it knows the true identity of its customers.
Consistent examiner
identification and reporting of apparent CIP violations can provide the FDIC greater assurance
that institutions with weak programs for detecting money laundering and terrorist financing
activity are identified and appropriate and timely corrective measures are taken.

Requirements Related to the CIP

Section 326 of the USA PATRIOT Act 22 requires financial institutions to implement a written,
board-approved CIP, appropriate for the institution’s size and type of business, which includes,
at a minimum, procedures for:

     •   verifying a customer’s true identity to the extent reasonable and practicable and defining
         the methodologies to be used in the verification process,
     •   collecting specific identifying information from each customer when opening an account,
     •   responding to circumstances and defining actions to be taken when a customer’s true
         identity cannot be appropriately verified with “reasonable belief,”
     •   maintaining appropriate records during the collection of information and verification of a
         customer’s identity,
     •   verifying a customer’s name against a federal government list of known or suspected
         terrorists or terrorist organizations, 23 and
     •   providing customers with adequate notice that the bank is requesting identification to
         verify their identities.

The FFIEC BSA/AML Examination Manual directs examiners to assess financial institution
compliance with the statutory and regulatory requirements for CIPs. Examiners should verify
whether a financial institution’s policies, procedures, and processes include a comprehensive
program to identify customers who open an account after October 1, 2003.
The CIP must be
examined as part of the institution’s BSA/AML compliance program. Additionally, the manual
states that examination findings should be discussed with the bank’s management and all
significant findings must be included in the ROE. In addition, the FDIC’s Risk Management
Manual of Examination Policies provides guidance to examiners related to the institution’s
written, board-approved CIP. The manual outlines specific requirements such as
(1) account-opening procedures that specify the identifying information to be obtained from each customer,
(2) procedures for verifying the information, and (3) record retention requirements.

22 Implemented by 31 C.F.R. 103.121.
23 According to the FFIEC BSA/AML Examination Manual, there are no designated government lists against which
banks could compare customer names specifically for CIP purposes.

Identification of Apparent Violations

Our review of written institution CIP policies, examination workpapers, and ROEs for
24 sampled financial institutions indicated that the institutions’ CIPs did not always address all
CIP requirements necessary to verify the identity of customers who open new accounts with the
institutions. We also found that examiners were not consistent in some cases in their
identification of apparent violations of CIP requirements. For example, some financial
institutions were cited for not including all required customer verification procedures in their
CIPs, while others were cited only for apparent violations identified during transaction testing
performed as part of the examination, even though the CIPs for those institutions were also found
to not include all requirements.
In fact, for the five financial institutions in our sample where
CIP violations were cited, examiners’ decisions to cite the institutions were generally based on
the results of their transaction testing rather than a review of the CIP. Examiners told us that
they do not report in the ROE those deficiencies identified solely in the CIP policies – rather, the
examiners usually recommend orally or informally that bank management consider those
deficiencies in updates to the CIP. Additionally, some examiners included recommendations in
the ROEs related to complying with CIP requirements but did not cite violations. The
inconsistencies in reporting could result in weak compliance programs remaining uncorrected for
extended periods.

Based on our review of the examination workpapers and ROEs for the 24 sampled institutions,
including copies of the institutions’ CIP policies, we determined that:

   •   CIPs for the 5 institutions cited by DSC examiners for apparent CIP violations had other
       apparent CIP violations that were not cited in the ROE violations section,

   •   CIPs for each of the remaining 19 financial institutions in our sample had at least
       1 apparent CIP violation that was not cited, and

   •   3 institutions could have been but were not cited for 5 or more apparent CIP violations.

Table 3, on the next page, provides a synopsis of CIP violations cited by examiners and some of
the more frequent apparent CIP violations at the 24 sampled institutions that were not cited by
the examiners.

Table 3: Apparent CIP Violations

                                                                          Number of Apparent CIP Violations
Violation Description                                                     Cited by       Not Cited by
(Based on PATRIOT Act Section 326, Treasury 31 C.F.R. Section 103.121,    Examiners      Examiners
and DSC violation descriptions)

Failure of non-documentary procedures to address certain situations,          -             15
such as where an individual is unable to present an unexpired
government-issued identification document or where the customer opens
an account without appearing in person.

Failure of CIP to include procedures when customer’s identity is unknown      -             12
and the financial institution cannot form a reasonable belief that it
knows the true identity of a customer.

The CIP does not address when to obtain information about account             1             10
control when an account is opened by a customer that is not an
individual, and information about individuals with authority or
control over such account, including signatories, is needed in order
to verify the customer’s identity.

Failure to implement a written CIP appropriate for its size and type of       -              6
business.

Failure of CIP to contain procedures for verifying customer identity          -              3
within a reasonable time after the account is opened.

Failure of CIP to contain procedures that describe nondocumentary             -              3
methods used, including public databases, checking references with
other financial institutions, and obtaining a financial statement.

Failure to keep minimum records required under Section 103.121 for a          4              3
period of 5 years after the account is closed, including the
customer’s name; date of birth for individuals; address; and
identification number.

Failure to obtain minimum information prior to account opening, such as       3              -
the customer’s name; date of birth for individuals; address; and
identification number.

Failure to properly address situations where the Tax Identification           1              -
Number (TIN) is not obtained, including confirmation that an
application for a TIN was filed before the customer opened the account
and to obtain the TIN within a reasonable period of time after the
account is opened.

Failure to meet certain conditions if relying on another financial            1              -
institution, such as an affiliate, to perform any procedures included
in its CIP.

Failure of CIP to specify which identifying information will be obtained      1              -
from each customer to open an account.

Source: OIG review of CIPs, examination work papers, and ROEs for sampled financial institutions.

In summary, although examiners cited some financial institutions for apparent CIP violations, all
24 of the financial institutions in our sample had apparent violations that were not cited in the
ROEs.
The need to cite apparent violations of CIP requirements when they occur was recently
emphasized in the October 4, 2006 RD memorandum entitled, Enforcement of Bank Secrecy
Act/Anti-Money Laundering Requirements, which states that apparent violations of individual
pillars of the BSA/AML compliance program (CIP is one of the pillars) should be cited when
detected. Importantly, supervisory actions were taken with regard to one of the five sampled
institutions cited in the ROEs for apparent CIP violations but were not taken for the other four
institutions. As established by Section 8(s)(3)(B) of the FDI Act 24 apparent violations that
persist across multiple examinations are subject to a C&D to correct the underlying compliance
problem at the institution. Therefore, it is important for examiners to cite CIP violations when
detected.

Conclusion

CIPs, which should be designed to ensure that financial institutions know the true identity of
their customers, are required to be included in the institutions’ overall BSA/AML compliance
program and to address all of the program requirements specified by the PATRIOT Act and
FDIC Rules and Regulations. An effective CIP helps to ensure that a financial institution knows
the true identity of its customers and serves as a deterrent to criminal use of the nation’s financial
system. We consider the inconsistencies in the identification and reporting of apparent CIP
violations to be indicative of the need for additional instruction to examiners regarding their
review of CIPs.
Consistent examiner identification and reporting of apparent CIP violations will
provide DSC greater assurance that (1) FDIC-supervised financial institutions are complying
with BSA and PATRIOT Act requirements and (2) institutions with weak programs for detecting
money laundering and terrorist financing activity are identified and appropriate and timely
corrective measures are taken.

DSC stated that, in determining whether there are apparent violations, examiners consider not
only the institution’s CIP policy but also any supplemental procedures and forms used by the
institution to ensure BSA compliance. To the extent that these procedures or forms were in the
institution’s overall BSA policy, we included these documents in our review. However, these
procedures and forms were not always included in the examination workpapers, so it is possible,
based on this supplemental information, that certain deficiencies in institution CIP policies might
not be considered apparent violations by the examiners. Also, some examiners informed us that
they only cited apparent violations based on transaction testing, while other examiners cited
apparent violations based on CIP policy deficiencies. Consequently, there appears to be a need
for additional examination guidance addressing the consideration of supplemental procedures
and forms in evaluating CIP policies and whether transaction testing is a necessary basis for
citing apparent CIP violations.

24 RD Memorandum entitled, Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements, dated
October 4, 2006, provides guidance on actions that the FDIC is authorized to implement under Section 8(s)(3)(B) of
the FDI Act.

Recommendation

We recommend the Director, DSC:

 1. Clarify guidance to examiners on the identification and reporting of apparent CIP violations,
    including the consideration of supplemental procedures and forms and whether transaction
    testing is a necessary basis for citing apparent CIP deficiencies, to ensure that financial
    institutions implement CIPs appropriate for their BSA risk profile.


IMPLEMENTATION OF EXAMINATION PROCEDURES FOR RISK ASSESSMENTS

Although not specifically required by statute or regulation, BSA/AML risk assessments are
emphasized in examination guidance to provide a means for (1) institutions to design risk-based
BSA compliance programs, which include PATRIOT Act requirements, to mitigate risks and
(2) examiners to scope and plan their evaluation of the adequacy of BSA/AML compliance
programs. We found that 21 of 24 sampled institutions had prepared risk assessments, and
examiners took appropriate action when the assessments were not prepared. While it is notable
that risk assessment is widely used by institutions to design BSA/AML compliance programs, we
observed inconsistencies in addressing and reporting on the risk categories and factors
designated in the BSA/AML Examination Manual. In addition, we determined that risk
assessments for 8 of the 24 financial institutions were based on a matrix format, which did not
provide for full consideration of the designated risk categories and factors. Use of this matrix in
lieu of a risk assessment could result in BSA/AML risks not being identified.

Examination Guidance for Risk Assessments

In 2006, the FFIEC members revised the FFIEC BSA/AML Examination Manual to, among
other things, add a separate section dedicated to the development and evaluation of financial
institution risk assessments. 25 The guidance states that financial institutions should adequately
assess and document the risk exposures of the institution by identifying specific products and
services, customers and entities, and geographic locations unique to the institution. For example,
institutions located in high-risk geographic areas, such as High Intensity Financial Crimes Areas
(HIFCA) 26 or High Intensity Drug Trafficking Areas (HIDTA), 27 are normally viewed as having
a higher risk of criminal activity. We noted that 20 of the 24 financial institutions included in
our sample were located in these high-risk areas. However, geographic location alone does not
necessarily determine a customer’s or transaction’s risk level.

25 The risk assessment section in the FFIEC BSA/AML Examination Manual was also added to promote consistency
in this area, consolidate previous guidance on this topic, and provide additional instruction and support.
26 HIFCAs, announced in the 1999 National Money Laundering Strategy, were conceived in the Money Laundering
and Financial Crimes Strategy Act of 1998 as a means to concentrate various levels of law enforcement (federal,
state, and local) in high-intensity money laundering areas. Currently, there are seven regional HIFCA groups.
27 The Anti-Drug Abuse Act of 1988 and the Office of National Drug Control Policy (ONDCP) Reauthorization Act
of 1998 authorized the Director of ONDCP to designate areas within the United States that exhibit serious drug
trafficking problems and harmfully impact other areas of the country as HIDTAs. The HIDTA Program provides
additional federal resources to those areas to help eliminate or reduce drug trafficking and its harmful consequences.
Currently, there are 28 geographical areas designated as HIDTAs.
Figure 2 provides additional
details on the three risk categories.

Figure 2: Risk Categories That Should be Considered During the Risk Assessment Process

   Products and Services
     •   Funds Transfers
     •   Private Banking Activities
     •   Correspondent Accounts
     •   Pouch Activities

   Customers and Entities
     •   Nonresident Aliens and Accounts of Foreign Individuals
     •   Politically Exposed Persons
     •   Professional Service Providers (such as attorneys and accountants)
     •   Cash Intensive Businesses
     •   Non-Bank Financial Institutions, including Money Services Businesses

   Geographic Locations
     •   Countries Subject to OFAC Sanctions
     •   Countries Identified as Supporting International Terrorism
     •   Jurisdictions of Primary Money Laundering Concern
     •   Major Money Laundering Countries and Jurisdictions
     •   HIFCA
     •   HIDTA

   Source: 2006 FFIEC BSA/AML Examination Manual.

The FFIEC BSA/AML Examination Manual also discusses five factors to be considered in its
risk assessment process:

  •   purpose of the account,
  •   actual or anticipated activity,
  •   nature of the customer’s business,
  •   customer’s location, and
  •   types of products and services used by the customer.

The factors are applied as part of a detailed analysis of bank data—the risk assessment—to gain
an understanding of the bank’s risk profile, including the varying levels of risk associated with
the institution’s activities and customers.
The examination manual states that a risk assessment
should be used by the bank to design effective risk-based controls for inclusion in its BSA/AML
compliance program. In this regard, the manual indicates that institutions are expected to
address the varying levels of risk associated with the categories specified above to facilitate the
design and implementation of effective and efficient controls to mitigate identified risks. In
addition, the examination manual states that analysis of specific risk factors is important because
within any type of product or category of customer, there will be account holders that pose
varying levels of risk.

The manual also states that examiners should use a risk assessment to scope, plan, and conduct
examinations for BSA and PATRIOT Act compliance and to make an ultimate decision on the
adequacy of the overall BSA/AML compliance program. According to the manual, examiners
should review the institution’s risk assessment, if one exists; independent audit results, including
results of an independent review of the bank’s BSA/AML risk assessment; and prior examination
results in addition to other information. If a financial institution has not completed a risk
assessment or the examiner concludes that the bank’s risk assessment is inadequate, the manual
states that the examiner must complete a risk assessment based on available information and use
Appendix J of the examination manual for that purpose. Further, examiners should conduct
transaction testing to evaluate the adequacy of the bank’s compliance with regulatory
requirements; determine the effectiveness of its policies, procedures, and processes; and evaluate
suspicious activity.
The manual states that transaction testing is an important factor in forming
conclusions about the integrity of the bank’s overall controls and risk management processes.

The manual further states that examiners should evaluate the adequacy of an institution’s
BSA/AML risk assessment process. Examiners should also determine whether:

     •   the BSA/AML compliance program is effectively monitored and supervised in relation to
         the bank’s risk profile as determined by the risk assessment and ascertain whether the
         BSA/AML compliance program is effectively mitigating the bank’s overall risk;

     •   internal controls ensure compliance with the BSA and provide sufficient risk
         management, especially for high-risk operations (considering products, services,
         customers, and geographic locations);

     •   bank management’s lack, or inaccurate assessment, of the bank’s BSA/AML risks could
         be the underlying cause of policy, procedure, or process deficiencies; and

     •   there is a need for corrective actions, including the possibility of requiring the financial
         institution to conduct more detailed risk assessments.

Institution Preparation and Examiner Evaluations of Risk Assessments

For the 24 sampled institutions, we determined that 3 institutions had not prepared risk
assessments. In these cases, examiners took appropriate action. 28 Concerning the remaining
21 sampled institutions, FDIC examiners considered the institution-prepared risk assessment in
BSA/AML examinations.
However, we noted the following inconsistencies in the design of the
institutions’ risk assessments and related examinations by the FDIC.

     •   Seven financial institutions had prepared BSA/AML risk assessments that included
         comprehensive analyses of each of the risk categories and factors in the FFIEC
         BSA/AML Examination Manual and specified associated risk levels. However, risk
         assessments for 14 institutions did not address at least one of the risk categories and
         factors and/or did not specify an associated risk level.

28 For two of the three institutions without risk assessments, examiners completed a risk matrix—Appendix J—in
accordance with the guidance in the FFIEC BSA/AML Examination Manual. For the third institution, the examiner
concluded that the bank had not risk-rated its customer base, including money services businesses, embassy
personnel, politically exposed persons, nonresident alien off-shore accounts, and foreign corporations. The bank
also had not established and fully implemented risk-based customer due diligence or an adequate suspicious activity
monitoring system, nor had the bank’s independent audit addressed these areas or the absence of a BSA/AML risk
assessment. The examiner cited the bank for violations related to internal controls. Although neither the bank nor
the examiner had completed a risk assessment in this case, the examiner took a positive step and recommended an
MOU that included provisions related to risk assessment, customer due diligence, and suspicious activity
monitoring.

     •   Twelve examinations documented an overall conclusion on the adequacy of the risk
         assessment.
         In the remaining nine examinations, there was no apparent conclusion.

     •   Seven institutions had at least two consecutive examinations that identified deficiencies
         related to the institutions’ risk assessments. However, internal control violations were
         cited in only four of these seven cases.

It is notable that institutions are generally using BSA/AML risk assessments as a component in
the design and implementation of their compliance programs. As indicated above, 21 of
24 institutions had prepared risk assessments, and examiners documented conclusions on the
adequacy of 12 of 21 assessments prepared by the institutions. Consistent examiner
consideration and reporting on risk categories and factors listed in the FFIEC BSA/AML
Examination Manual can provide the FDIC greater assurance that financial institutions identify
BSA/AML-related risks and design effective risk-based controls necessary to mitigate those
risks.

The Interagency Statement, issued on July 19, 2007, lists risk assessments as part of the system
of internal controls for purposes of issuing C&Ds. This guidance has the potential to address the
inconsistencies we noted in the design and examination of financial institution risk assessments.
Specifically, the fact that risk assessment is now linked directly to the internal control pillar of
the required BSA/AML compliance program focuses institution attention on preparing
comprehensive risk assessments. In addition, directly linking the risk assessment to the internal
control pillar should focus the examiner’s attention on the importance of concluding on the
adequacy of risk assessments and the citing of violations, where appropriate.
Therefore, we are not making recommendations to address this matter at this time.

Use of Appendix J in the FFIEC BSA/AML Examination Manual for Assessing Risk

When an institution has not completed or has an inadequate risk assessment, the FDIC expects examiners to obtain a general understanding of a bank’s products and services, customers and entities, and geographic locations. The FFIEC BSA/AML Examination Manual instructs examiners to use Appendix J of the manual for this purpose. Because the risk assessment process should be comprehensive, it is understandable that examiners cannot conduct a detailed analysis of financial institution risks and that the high-level profile provided by Appendix J is appropriate for their use. In two cases, we noted that examiners used Appendix J because the BSA/AML risk assessment had not been completed by the institution.

However, financial institution use of Appendix J does not provide for detailed analysis of data related to five of the eight risk categories and factors that are part of the risk assessment process and evaluation of the bank’s activities. According to the FFIEC BSA/AML Examination Manual, the complete analysis gives bank management a better understanding of the institution’s risk profile in order to develop the appropriate policies, procedures, and processes to mitigate the overall risk.
Specifically, Appendix J does not include a detailed analysis of data for the following five factors:

   •   purpose of the account,
   •   actual or anticipated activity in the account,
   •   nature of the customer’s business,
   •   customer’s location, and
   •   types of products and services used by the customer.

The detailed analysis of the above five risk factors is important because, as stated in the FFIEC BSA/AML Examination Manual, within any type of product or category of customer, there will be accountholders that pose varying levels of risk.

We determined that 8 of the 24 financial institutions had used Appendix J, or a modified version of Appendix J, for their risk assessments. Although the manual recognizes that there are many formats that banks may use to effectively document a risk assessment, Appendix J, which is provided for examiner use—not institution use—did not provide for a detailed assessment of the risk factors listed above. The inclusion of Appendix J in the manual may give the impression to financial institutions that this format is acceptable and covers all risk categories and factors that should be assessed by institutions. Therefore, DSC should propose changes to Appendix J to clarify that it is not intended to be used by financial institutions in lieu of performing a comprehensive BSA/AML risk assessment.

DSC management indicated to us, during a discussion of our audit results, that institutions are not required to conduct BSA/AML risk assessments, although most institutions do so as a good management practice. DSC management also stated that there may be low-risk institutions for which examiners conclude that Appendix J provides a sufficient risk assessment.
However, we found no criteria governing the definition of a low-risk institution or the use of Appendix J in lieu of a more comprehensive risk assessment. For example, in one case, we found that a large, complex institution with elevated BSA/AML risk used Appendix J for its risk assessment. Instructions to examiners would be beneficial to clarify the circumstances under which Appendix J would be sufficient for institution risk assessments.

Recommendation

We recommend the Director, DSC:

2.   Provide instructions to examiners to clarify the circumstances under which Appendix J would be sufficient for use as a BSA/AML risk assessment.


CORPORATION COMMENTS AND OIG EVALUATION

On November 20, 2007, the Director, DSC provided a written response to a draft of this report. DSC’s response is presented in its entirety as Appendix IV to this report. Regarding recommendations 1 and 2, by March 30, 2008, DSC will remind examination staff of supervisory expectations and the appropriate utilization of guidance regarding the identification and reporting of apparent CIP violations and use of Appendix J.

DSC’s actions are responsive to our recommendations. A summary of management’s response to the recommendations is in Appendix V.
The recommendations are resolved but will remain open until we have determined that agreed-to corrective actions have been completed and are effective.


APPENDIX I

OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

The objectives of this audit were to determine whether (1) examination procedures are designed to evaluate institution compliance with the AML and terrorist financing provisions of the PATRIOT Act and (2) those procedures were fully and consistently implemented to provide reasonable assurance that institutions with weak programs for detecting money laundering and terrorist financing activity will be identified and appropriate corrective measures taken. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
We performed our audit from September 2006 through May 2007.

Scope and Methodology

To achieve our audit objectives, we:

   •   Obtained an understanding of FDIC and FFIEC guidance related to examination procedures for determining PATRIOT Act and BSA compliance by reviewing appropriate examiner and financial institution guidance.

   •   Interviewed DSC officials in Washington, D.C., and selected field offices and representatives of the FDIC’s Legal Division in Washington, D.C.

   •   Identified and reviewed applicable criteria, including laws, rules, and regulations; examination guidance; and authorities related to examination and enforcement of BSA and PATRIOT Act compliance and the citing and tracking of violations related to compliance.

   •   Reviewed the following:

         •   Federal Register notices and other agency and regulatory reports and related documents to gain an understanding of the FBAs’ roles and responsibilities in implementing the PATRIOT Act.

         •   The Treasury’s Web site, including FinCEN’s Web site, to obtain background information on the BSA and PATRIOT Act and to determine the status of the Treasury’s rulemaking (proposed, interim, and final rules) related to the PATRIOT Act.

         •   Related audit reports issued by the FDIC OIG and GAO.

To address our objective related to whether examination procedures were fully and consistently implemented, we limited our review to CIP and risk assessment-related procedures.
In addition, we obtained information from DSC on examinations conducted after the release of the FFIEC BSA/AML Examination Manual, issued June 2005, and the updated manual issued July 28, 2006. We limited the sample universe to examinations completed September 1, 2005 to October 31, 2006. From those examinations, we selected a non-statistical sample of examinations for 24 FDIC-supervised financial institutions for detailed review.[29] To select the sample for review, we considered:

   •   size and geographic location of the financial institution and
   •   whether examiners had cited the financial institutions for PATRIOT Act violations.

For the sampled examinations, we reviewed ROEs, supporting work papers, correspondence files, supervisory and enforcement action information, and other pertinent documentation. We selected the sampled examinations from DSC’s Atlanta, Kansas City, New York, and San Francisco regional offices. Additionally, we reviewed system data related to BSA examinations from DSC’s Virtual Supervisory Information on the Net (ViSION), the automated system used by DSC to capture data on the results of DSC’s reports of examination, including identified BSA violations.
In addition, we reviewed system data from the Formal and Informal Action Tracking System, which captures information on supervisory and enforcement actions, and referrals that the FDIC forwarded to FinCEN in compliance with the 2004 information-sharing MOU between the FDIC, the other FBAs, and FinCEN.

Additionally, we coordinated with the IG Counsel, Office of Investigations, and other Office of Audits Directorates and FDIC Office of the Ombudsman.

Internal Controls

We gained an understanding of the internal control activities relevant to the FDIC’s examination process for BSA and PATRIOT Act compliance by identifying and reviewing applicable policies and procedures related to the FDIC’s examinations for BSA and PATRIOT Act compliance, including guidance provided to FDIC examiners (FFIEC BSA/AML Examination Manual, FDIC Risk Management of Examination Policies, FILs, and Treasury regulations). Additionally, we interviewed DSC officials in the Washington, D.C., office; DSC representatives in selected regional and field offices; and the Examiners-in-Charge for the 24 sampled examinations.

Our assessment of internal controls determined that the FDIC has implemented some internal controls and examination guidance, including interagency examination procedures, related to examinations of financial institution compliance with the PATRIOT Act.
However, controls related to the implementation of PATRIOT Act compliance programs need improvement, as indicated in our Results of Audit.

[29] The results of a non-statistical sample cannot be projected to the intended population by standard statistical methods.

Reliance on Computer-Based Data

We used computer-based data and reports that DSC provided from the ViSION system to identify the universe of examinations conducted from September 1, 2005 through October 31, 2006. Although our audit identified certain inaccuracies in the ViSION data related to BSA and PATRIOT Act compliance, the data obtained from ViSION were not significant to our conclusions or recommendations. We also used information obtained from the FDIC’s Formal and Informal Action Tracking System to identify supervisory and enforcement actions related to BSA/AML and PATRIOT Act compliance.

Compliance With Laws and Regulations, Government Performance and Results Act, and Fraud or Illegal Acts

Compliance with Laws and Regulations. We reviewed applicable laws and regulations on PATRIOT Act compliance. We determined that the FDIC has general laws and regulations that relate to its overall examination authority (Section 10(b) of the FDI Act and Section 337.12 of the FDIC Rules and Regulations). The FDIC can rely on its general authority to impose enforcement actions under Section 8 of the FDI Act as it relates to operating a financial institution in an unsafe and unsound manner or noncompliance with laws and regulations to take action for PATRIOT Act compliance. The FDIC also has specific authority as outlined in Section 8(s) of the FDI Act as it relates to compliance with the BSA.

Government Performance and Results Act.
We reviewed the FDIC 2005-2010 Strategic Plan, the 2006 Annual Performance Plan, and DSC's divisional performance objectives to determine whether the Corporation and/or DSC had performance goals, objectives, and indicators or targets that specifically relate to the examination and enforcement of PATRIOT Act compliance or whether PATRIOT Act issues were generally included in matters related to BSA examination and compliance.

According to the FDIC 2006 Annual Performance Plan, the FDIC has established the following strategic goal, objective, and annual performance goals (see Table 4, on the next page) related to the risk management component of the FDIC’s Supervision Program and to the supervision of financial institutions for compliance with the BSA/AML and PATRIOT Act.

Table 4: The FDIC’s Activities to Address the Government Performance and Results Act

Strategic Goal: FDIC-supervised institutions are safe and sound.

Strategic Objective: FDIC-supervised institutions appropriately manage risk.

Annual Performance Goals:

   •   Conduct on-site risk management examinations to assess the overall financial condition, management practices and policies, and compliance with applicable laws and regulations of FDIC-supervised depository institutions.

   •   Take prompt and effective supervisory action to address issues identified during the FDIC examination of FDIC-supervised institutions that receive a composite Uniform Financial Institutions Rating of “4” or “5” (problem institution). Monitor FDIC-supervised insured depository institutions’ compliance with formal and informal enforcement actions.

   •   Increase regulatory knowledge to keep abreast of current issues related to money laundering and terrorist financing.

Source: FDIC’s 2006 Annual Performance Plan.

The FDIC performs risk management examinations that include BSA examinations. Because the PATRIOT Act amended the BSA, an examination for PATRIOT Act compliance is included in BSA examinations. BSA compliance is a factor in assessing the willingness and ability of management to mitigate the operational risks of the bank and compliance with governing laws and regulations, which are a significant factor in the overall assessment of the condition of the institution.

In addition, according to the 2006 Annual Performance Plan, the FDIC’s supervision program promotes the safety and soundness of FDIC-supervised insured depository institutions, protects consumers’ rights, and promotes community investment initiatives by FDIC-supervised insured depository institutions. As the primary federal regulator of all insured state non-member banks, the FDIC performs periodic examinations of those FDIC-supervised insured depository institutions to assess their overall financial condition, management policies and practices, and compliance with applicable laws and regulations.

In addition to FDIC corporate objectives, DSC has implemented a performance objective to assist in protecting the infrastructure of the U.S.
banking system against terrorist financing, money laundering, and other financial crimes by implementing a comprehensive industry outreach and education effort on the BSA, AML, and counter-financing of terrorism issues.

Fraud and Illegal Acts. The nature of the audit objective did not require that we assess the possibility for fraud and illegal acts. However, during the audit, we were alert to the possibility of fraud and illegal acts, and no instances came to our attention.

Prior Coverage

The FDIC OIG and the Government Accountability Office (GAO) have issued audit reports that relate to examination and enforcement of compliance with Title III of the PATRIOT Act. Table 5, on the next page, provides a synopsis of the prior FDIC audit coverage related to BSA compliance.

Table 5: Synopsis of FDIC OIG Prior Audit Coverage of BSA and PATRIOT Act Compliance

FDIC's Supervision of a Financial Institution's Compliance With the Bank Secrecy Act (Report No. 05-008), March 2005

   Audit Objective: To determine whether the FDIC adequately fulfilled its responsibilities to monitor and assure a financial institution’s compliance with the BSA. We reviewed the (1) circumstances regarding the management of bank assets acquired from the FDIC, (2) adequacy of the FDIC’s supervisory actions at the acquiring institution, and (3) FDIC’s process for reporting BSA violations to the Treasury and law enforcement agencies.

   Audit Results: The audit concluded that responsibilities to ensure compliance with the BSA were not adequately fulfilled by either institution management or the FDIC. Corporate governance at the financial institution and two former institutions was not sufficient to ensure that they met BSA requirements. The FDIC's examinations identified significant BSA violations and deficiencies, but the examinations generally lacked sufficient follow-up on corrective measures promised, but not implemented, by institution management. Consequently, weak BSA compliance programs persisted for extended periods. In addition, the FDIC should have more thoroughly considered the impact of BSA compliance violation and deficiency histories in connection with the Corporation's decision to qualify the potential acquirers of a failed institution.

Supervisory Actions Taken for Bank Secrecy Act Violations (Report No. 04-017), March 31, 2004

   Audit Objective: To determine whether DSC adequately followed up on BSA violations reported in examinations of FDIC-supervised financial institutions to ensure that they take appropriate corrective action. We specifically reviewed the FDIC’s process for follow-up and other supervisory actions and the process and procedures for describing deficiencies and citing violations related to BSA noncompliance.

   Audit Results: The audit identified several areas in which the FDIC needed to strengthen its supervisory oversight for BSA violations. Further, the report noted inconsistencies in describing BSA compliance program deficiencies and citing financial institutions for noncompliance. In addition, the FDIC’s supervisory actions had not ensured to the greatest extent possible that institutions were in compliance with both the Treasury’s and the FDIC’s AML requirements. The FDIC needed to strengthen its follow-up process for BSA violations and had initiatives underway to reassess and update its BSA policies and procedures.

The FDIC’s Implementation of the USA PATRIOT Act (Report No. 03-037), September 5, 2003

   Audit Objective: To determine whether the FDIC had developed and implemented adequate procedures to examine financial institutions’ compliance with the PATRIOT Act.

   Audit Results: The audit concluded that the FDIC’s BSA examination procedures either partially or fully covered six of the eight applicable AML provisions contained in Title III of the PATRIOT Act and, therefore, did not cover two of the areas. With respect to those Title III provisions that required new or revised examination procedures, DSC was in the process of coordinating its efforts with other regulatory agencies and was drafting new or revised examination procedures to implement the provisions. However, DSC had not issued any new or revised examination procedures because it was either waiting for the Treasury to issue final rules implementing Title III provisions or coordinating the issuance of uniform procedures with an interagency steering committee.

Examiner Assessment of Bank Secrecy Act Compliance (Report No. 01-013), March 30, 2001

   Audit Objective: To determine the extent to which FDIC safety and soundness examinations reviewed institutions’ compliance with the BSA.

   Audit Results: The OIG recommended improvements in the FDIC’s documentation of work related to the BSA.

Source: OIG synopsis of FDIC OIG reports related to BSA and PATRIOT Act compliance.

The GAO has also conducted audits related to PATRIOT Act compliance as indicated below.

Opportunities Exist for FinCEN and the Banking Regulators to Further Strengthen the Framework for Consistent BSA Oversight, GAO-06-386, dated April 2006.

The audit objective was to determine how (1) federal banking regulators examine for BSA compliance and identify and track violations to ensure timely corrective action and (2) enforcement actions are taken for violations of the BSA. The audit recognized the actions that the FDIC and other FBAs, along with FinCEN, have taken to strengthen the framework for BSA compliance, including more consistent examination procedures, recent improvements to automated tracking systems used to monitor BSA compliance, and efforts to share BSA-related information under an information-sharing MOU with FinCEN.
However, the report recommended that FBAs and FinCEN:

   •   communicate emerging risks through updates of the interagency examination manual and other guidance;

   •   periodically review BSA violation data to determine if additional guidance is needed; and

   •   jointly assess the feasibility of developing a uniform classification system for BSA compliance problems.

FinCEN and the FBAs supported GAO’s recommendations and expressed commitment to ongoing interagency coordination to address them.

USA PATRIOT Act Additional Guidance Could Improve Implementation of Regulations Related to Customer Identification and Information Sharing Procedures, GAO-05-412, dated May 2005. The audit focused on Sections 326 and 314 of Title III of the PATRIOT Act. The audit objective was to determine how:

   •   the government “developed the regulations, educated the financial industry on them, and challenges it encountered”;

   •   regulators have updated guidance, trained examiners, and examined firms for compliance; and

   •   the new regulations have affected law enforcement investigations.

The GAO reported, in part, that although the FDIC and other FBAs have issued examination guidance related to Section 326 of the PATRIOT Act, examinations did not always determine whether financial institutions had adequately developed a CIP appropriate for their business lines and types of customers. The GAO also reported that this aspect of CIP is critical for ensuring that the identification and verification procedures are appropriate for the types of customers and accounts that are at higher risk of being linked to money laundering and terrorist activities.
In addition, the GAO reported that some examinations also revealed implementation difficulties related to CIP that could lead to inconsistencies in the way examiners conduct examinations.

The GAO concluded that examiners and financial institutions may not always understand the requirement for a comparison of customer names against any list of known or suspected terrorists or terrorist organizations.

The GAO recommended that:

   •   the Treasury, through FinCEN, and with the federal financial regulators and state regulatory agencies, develop additional guidance on ongoing implementation issues.

   •   FinCEN work with the federal financial regulators to develop additional guidance for examiners to improve examinations of compliance with CIP requirements.


APPENDIX II

STATUS OF REGULATIONS AND EXAMINATION PROCEDURES FOR PATRIOT ACT REQUIREMENTS

Title III Section[a]: Section 311-Special Measures for Financial Institutions
   PATRIOT Act Amendments to BSA: Allows the Treasury to impose special measures related to foreign jurisdictions, financial institutions, and other accounts identified as primary money-laundering concerns.
   Final Rule Effective Date: Various[b]
   Procedures included in FFIEC BSA/AML Examination Manual, issued July 2006: Yes

Title III Section: Section 312-Special Due Diligence
   PATRIOT Act Amendments to BSA: Requires financial institutions that provide private banking accounts or correspondent accounts for foreign persons to establish enhanced due diligence procedures for those accounts. The section also requires enhanced due diligence for certain correspondent and private banking accounts. The effective date for compliance with the rule for new correspondent and private banking accounts was July 5, 2006 and October 1, 2006 for existing correspondent and private banking accounts.
   Final Rule Effective Date: July 5, 2006
   Procedures included in FFIEC BSA/AML Examination Manual, issued July 2006: Yes

Title III Section: Section 313-Prohibition on U.S. Correspondent Accounts[c]
   PATRIOT Act Amendments to BSA: Prohibits certain financial institutions from providing correspondent accounts to foreign banks with no physical presence in any country.
   Final Rule Effective Date: December 24, 2002
   Procedures included in FFIEC BSA/AML Examination Manual, issued July 2006: Yes

Title III Section: Section 314-Cooperative Efforts to Deter Money Laundering[d]
   PATRIOT Act Amendments to BSA: Requires the Treasury to issue regulations to encourage financial regulators and law enforcement officials to share information with financial institutions regarding persons reasonably suspected of engaging in terrorist acts or money laundering activities.
   Final Rule Effective Date: September 26, 2002
   Procedures included in FFIEC BSA/AML Examination Manual, issued July 2006: Yes

Title III Section: Section 319-Forfeiture of Funds[c]
   PATRIOT Act Amendments to BSA: Requires certain financial institutions that maintain correspondent accounts for foreign banks to maintain records regarding foreign banks.
   Final Rule Effective Date: December 24, 2002
   Procedures included in FFIEC BSA/AML Examination Manual, issued July 2006: Yes

Title III Section: Section 325-Concentration Accounts at Financial Institutions
   PATRIOT Act Amendments to BSA: Authorizes the Treasury to issue regulations concerning the maintenance of concentration accounts by financial institutions.
   Final Rule Effective Date: Final rule has not been issued[e]
   Procedures included in FFIEC BSA/AML Examination Manual, issued July 2006: Yes

Title III Section: Section 326-Verification of Identification
   PATRIOT Act Amendments to BSA: Amended the BSA to require that Treasury prescribe regulations to set minimum standards for identifying customers seeking to open accounts at financial institutions.
   Final Rule Effective Date: June 9, 2003 with an implementation date of October 1, 2003
   Procedures included in FFIEC BSA/AML Examination Manual, issued July 2006: Yes

Title III Section: Section 352-Anti-Money Laundering Programs[f]
   PATRIOT Act Amendments to BSA: Requires financial institutions to establish anti-money laundering programs and authorizes the Treasury to issue regulations for minimum standards. Under existing provisions of the BSA and Section 8 of the FDI Act, insured depository institutions are already directed to have such programs. Therefore, financial institutions that have established a BSA compliance program are already in compliance with the AML requirements under the PATRIOT Act. In an interim final rule, effective November 6, 2002, Treasury extended the applicability date for other financial institutions such as pawnbrokers, insurance companies, and travel agencies.
   Final Rule Effective Date: April 24, 2002 interim final rule
   Procedures included in FFIEC BSA/AML Examination Manual, issued July 2006: Yes

Source: OIG review of the FFIEC BSA/AML Examination Manual, dated July 28, 2006; PATRIOT Act Title III requirements; and Federal Register notices.
[a] Some of the names of Title III sections have been abbreviated for the purposes of this table.
[b] Treasury issues a final rule for each of the countries, entities, financial institutions, or foreign jurisdictions designated as a “primary money-laundering concern.”
[c] Sections 313 and 319 are usually referred to and discussed together because both sections amend 31 U.S.C. §5318.
[d] Cooperative Efforts to Deter Money Laundering is also referred to as Information Sharing.
[e] According to the FDIC, after the passage of the PATRIOT Act, the Treasury convened a working group for Section 325, but no rulemaking proposal for this section has yet been issued.
[f] The FDIC had already established applicable examination procedures before passage of the PATRIOT Act.


CUSTOMER IDENTIFICATION PROGRAM REQUIREMENTS

The final rule for Section 326 of the PATRIOT Act, which became effective on June 9, 2003, provides a framework that includes the minimum standards that financial institutions must consider when identifying customers. Banks should conduct a risk assessment of their customer base and product offerings, and in determining the risks, consider the types of accounts offered; methods of opening accounts; types of identifying information available; and the bank’s size, location, and customer base.
The rule allows banks to develop a CIP tailored to the risk profile
of the bank and impose risk-based procedures.

According to the FFIEC BSA/AML Examination Manual, a financial institution’s CIP must
include procedures:

     •   specifying information that will be obtained from each customer when accounts are
         opened;

     •   verifying the identity of the customer within a reasonable period of time after the account
         is opened based on the financial institution’s risk;

     •   providing customers with adequate notice that the bank is requesting information to
         verify their identities;

     •   describing when it will use documents, nondocumentary methods, or a combination of
         both to verify identity;

     •   specifying the minimum acceptable documentation when a bank uses documentation
         methods to verify a customer’s identity;

     •   outlining methods to be used when banks use nondocumentary methods to verify a
         customer’s identity;

     •   addressing situations where, based on its risk assessment of a new account opened by a
         customer who is not an individual, the bank will obtain information about individuals
         with authority or control over such accounts, including signatories;

     •   determining whether the customer appears on any federal government list of known or
         suspected terrorists or terrorist organizations; [30] and

     •   addressing recordkeeping and retention of identifying information for a period of 5 years
         after the account is closed (for credit cards, the retention period is 5 years after the
         account is closed or becomes dormant).

[30] According to the FFIEC BSA/AML Examination Manual, there are no designated government lists specifically
for CIP purposes.
Customer comparisons to lists required by the OFAC and information sharing between federal
law enforcement agencies and financial institutions, as outlined in 31 C.F.R. 103.100 of the Treasury’s financial
recordkeeping and reporting requirements, remain separate and distinct.

In addition, procedures should address circumstances in which the bank cannot form a
reasonable belief that it knows the true identity of the customer. A financial institution is
allowed to reasonably rely on another financial institution to perform its CIP procedures when
certain conditions are met, including when the other institution is supervised by a federal
financial regulator and establishes a contractual arrangement for annual certification that the
institution has implemented an AML program.

The FDIC expanded Section 326.8 of its rules and regulations to require each FDIC-supervised
institution to implement a CIP that complies with 31 C.F.R. 103.121 and incorporate the CIP into
a bank's written, board-approved BSA compliance program (with evidence of such approval
noted in the board meeting minutes). The National Commission on Terrorist Attacks Upon the
U.S. and Monograph on Terrorist Financing [31] stressed the importance of Section 326 of the
PATRIOT Act and recognized that effective customer identification may deter the use of
financial institutions by money launderers and terrorists.

[31] The 9/11 Commission Report, Final Report of the National Commission on Terrorist Attacks Upon the U.S.
and the accompanying Monograph on Terrorist Financing included information on combating terrorist financing and the
role of financial institutions in the United States, including the terrorists’ use of financial institutions in the planning
and financing of those attacks.


APPENDIX IV

CORPORATION COMMENTS


APPENDIX V

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the
status of the recommendations as of the date of report issuance.

Rec. No.   Corrective Action: Taken or Planned     Expected         Monetary  Resolved: [a]  Open or
                                                   Completion Date  Benefits  Yes or No      Closed [b]
--------   --------------------------------------  ---------------  --------  -------------  ----------
1 and 2    DSC will remind examination staff of    March 30, 2008   $0        Yes            Open
           supervisory expectations and the
           appropriate utilization of guidance.

[a] Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent
                   with the recommendation.
               (2) Management does not concur with the recommendation, but planned alternative action is acceptable
                   to the OIG.
               (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount.
                   Monetary benefits are considered resolved as long as management provides an amount.
[b] Once the OIG determines that the agreed-upon corrective actions have been completed and are
effective, the
recommendation can be closed."